Forum OpenACS Q&A: Response to How much time does it take to set up bboard from scratch

Yeah, you really want to be running a minimum number of services on a public web server. In addition to 80 and 443, ssh and smtp ports (typically 22 and 25) are fairly common on web servers.

Some of the Bastille scripts (and other security hardening measures) have to do with local exploits and security holes, i.e., local users being stupid and/or malicious. You have to consider things like setuid bits on certain binaries, not giving out root passwords and restricting people to sudo, etc.

I also forgot to mention Tripwire; configure it and run the scan nightly. And don't forget those backups! Your data is the most important thing; if you don't have recent backups, well, you're screwed.
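As an added example, not part of the reply above or of OpenACS itself, here is a small shell audit in the spirit of that advice: it flags listening TCP ports outside the allowlist the post names (80, 443, 22, 25), lists setuid/setgid binaries for review, and keeps a Tripwire-style sha256 baseline that a nightly cron job can check. Everything in it is assumed rather than taken from the thread: the function names, the `ALLOWED_PORTS` variable, the constructed `ss -Hltn` sample, and a Linux host with GNU coreutils/findutils and iproute2.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenACS. A tiny
# audit in the spirit of the post: flag listening ports outside the allowlist,
# list setuid/setgid binaries, and keep a Tripwire-style hash baseline.
# Assumptions: Linux with GNU coreutils/findutils (sha256sum, find -printf,
# sort -z) and iproute2 (`ss`). All names below are this example's own.

# Ports the post calls reasonable on a public web server; override via env.
ALLOWED_PORTS="${ALLOWED_PORTS:-80 443 22 25}"

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# 5432 (postgres) and 111 (portmapper) are exposed on all interfaces.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*'

# Read `ss -Hltn` text on stdin; print each listening TCP port not in
# ALLOWED_PORTS once, in order of first appearance. On a live host:
#   ss -Hltn | unexpected_listeners
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # "[::]:443" -> "443"
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# List setuid/setgid regular files under a root (default /), one per line as
# "mode owner path". Every entry is a local privilege boundary worth reviewing.
list_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | LC_ALL=C sort -k3
}

# Tripwire-style baseline: sha256 of every regular file under $1, written to $2.
# Paths are relative to $1 so the baseline still applies after a restore.
integrity_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# Compare the tree under $1 against baseline $2. Prints one
# "CHANGED|MISSING|NEW  path" line per difference; returns 1 if any, else 0.
# Paths containing newlines are out of scope for this example.
integrity_check() {
    root=$1; base=$2; rc=0
    cur=$(mktemp) || return 2
    integrity_baseline "$root" "$cur"
    # Each sha256sum line is "<64 hex>  <path>", so the path starts at column 67.
    while IFS= read -r line; do
        hash=${line%%  *}; path=${line#*  }
        if ! cut -c67- "$cur" | grep -qxF -- "$path"; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif ! grep -qxF -- "$hash  $path" "$cur"; then
            printf 'CHANGED  %s\n' "$path"; rc=1
        fi
    done < "$base"
    while IFS= read -r line; do
        path=${line#*  }
        cut -c67- "$base" | grep -qxF -- "$path" || { printf 'NEW      %s\n' "$path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# Stand-alone demo (`sh audit.sh demo`): audit the sample ss output, then
# exercise the baseline on a scratch directory. For nightly use, cron runs
# integrity_check against a baseline kept on read-only media and mails output.
if [ "${1:-}" = "demo" ]; then
    printf 'unexpected listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | unexpected_listeners | tr '\n' ' ')"
    d=$(mktemp -d); b=$(mktemp)
    printf 'hello\n' > "$d/index.html"; printf 'secret\n' > "$d/config.tcl"
    integrity_baseline "$d" "$b"
    printf 'tampered\n' > "$d/index.html"; printf 'x\n' > "$d/shell.tcl"; rm "$d/config.tcl"
    integrity_check "$d" "$b" || echo "integrity check FAILED (expected in demo)"
    rm -rf "$d" "$b"
fi
```

The baseline file is only as trustworthy as where it lives: an attacker who can rewrite `/var` can rewrite a baseline stored there too, which is why the real Tripwire signs its database and why the demo comment suggests read-only media. The port check reads text rather than calling `ss` directly so it can be pointed at saved output from several hosts.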